It's a large number of minor points. Nothing shocking, no huge issues, and of course nothing we didn't already know. The crypto is good, if you manage it well it stands up to the NSA as far as we know... Sure, it has flaws that make it hard to use in general, and hard to use securely (no long term keys, for example, would make me less paranoid about my private key), but it's still fine despite having huge backwards compatibility.
The author is overly dramatic about it in order to make a point, to hopefully get people looking for alternatives, so that a good one might take it from pgp in the future (and continues to suggest whatsapp and signal, like, really? That's your replacement for pgp?).
It's not. This is detailed in the piece. What do you think it gets wrong?
> That's your replacement for pgp?
One of the key points is that by now we know PGP is a bad idea conceptually. There can't be a replacement for PGP. This is a bit like asking what's to replace mummification now that we know it doesn't really grant access to the afterlife.
If the base of their site was served from an auto updated base, there's no reason why it couldn't be pretty much as secure as a platform.
Say it's a frontend over a Docker image that gets updated upstream for security issues, and the server has a Cron job that keeps it up to date.
Why couldn't that work?
I know there's some centralisation around the Docker image, but that could be open source or provided by someone like Mozilla or Apache or WordPress who we can trust.
And there's no reason why the user couldn't choose from a whole ecosystem of image providers with a simple enough UI.
>served from an auto updated base, there's no reason why it couldn't be pretty much as secure as a platform. [...] Docker image that gets updated upstream for security issues [...] Why couldn't that work?
The update process itself acts as an attack vector. Even the techies like programmers can get pwned with trusted repositories that suddenly became untrusted.[0][1][2]
A decentralized server appliance of powerful sophistication that requires updates will require a baseline level of technical expertise. So far, even the less sophisticated hardware like wifi cameras and Nest devices are leaving unwitting homeowners exposed to criminals and unwanted spying.[3][4]